09-29-2015 02:25 AM
Hi,
I deployed an ESA C380 at a customer with two armed, as shown on the diagram below. Now the customer wants to change the architecture to 1 armed because, for him, two armed is not secure since the DMZ is connected to the LAN.
The appliance is in production, and there is a risk in changing the configuration because we have to reinstall the ESA.
The 2nd scenario is to create another DMZ for the private listener, so it will not be connected to the LAN anymore but to the firewall, so all traffic will be redirected to the firewall before getting to the ESA. I don't know if this scenario will work and what the impact is when changing the architecture.
Also, I want to know if, when deployed in one armed, there is any latency in the queue, knowing that the flow is 2000 mails per hour.
Regards
Accepted Solutions
09-29-2015 02:38 AM
Hi there,
You don't really need to reinstall the unit - if you can allocate another IP address on the physical interface where the public listener is, create a new IP interface on the ESA bound to that physical interface. Then in the Private listener settings, just bind that listener to the new interface.
Of course, you need to make sure that the ESA can reach local mail servers correctly from the DMZ (and vice-versa).
Another approach, if you have not done much customization of the HAT on the private listener, is to just add the "RELAYLIST" sender group to the public listener and use a single listener to receive incoming mail and accept outgoing. Just copy all the settings of the "RELAYED" mail flow policy from private listener to the public, and do the same for "RELAYLIST" sender group.
I would also suggest reaching out to your local Cisco Security Consulting Systems Engineer for advice.
Hope that helps!
09-16-2018 07:27 PM
Hi All,
I am new to gateway deployment. I have a vESA appliance and planned to have a two armed connection. The first vESA connection will go to the DMZ and the second will be connected to the internal network, which will talk to Microsoft Exchange 2010.
I need your help and advice on how to configure the vESA.
